20180 policies in database
Link to program      
Magic logo



Magic Bug Bounty Program


Magic is a developer SDK that you can integrate into your application to enable passwordless authentication using magic links, WebAuthn, OAuth, and other authentication tools.

Magic also builds a robust and distributed key management solution that supports this authentication infrastructure.

When users want to sign up or log in to application, the typical flow is:

  • User requests a magic link sent to their email address

  • User clicks on that magic link

  • User is securely logged into the application

  • If it's a web application, users are logged into the original tab, even if the user clicked on the magic link on a different browser or mobile device!


Magic also supports and builds Fortmatic, a cryptocurrency wallet integrated with many leading blockchain companies around the world.


As part of Magic's mission and security overview,

we want to improve the developer experience of authentication, while keeping safety and security top of mind for all developers. We recognize the importance of maintaining security in our services in order to keep our users safe.

With this bounty program, we encourage researchers to discover security flaws in our systems. These can cover almost any aspects of the product, from SDKs, APIs, public-facing codebases, user interfaces, developer dashboards, and more.

Both Magic and Fortmatic's products are under scope for testing.

We’d like to highlight the following highest priority assets as a focal point for this Bug Bounty Program:**

  • Developers and users sensitive information

  • Asset security

  • Key Management systems

  • New / Beta features

Program Policy

Complying with the Bug Bounty Program policy requires researchers to adhere to our “Disclosure Policy” section below.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

  • Please DO NOT perform testing on OUT OF SCOPE assets. Reports for out of scope assets will be closed as N/A, resulting in negative reputation gain.

Test Account Creation

The best way to get started with the program is to navigate to our developer dashboard and sign-up for a developer account. This will give you access to API keys which can be used to access our assets as well as a comprehensive set of docs to get started. Futhermore, as the dashboard is an in-scope asset, you may just find inspiration for an exploit while signing up and familiarizing yourself with it's features.

Response Targets

Fortmatic Inc. will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days

  • Time to triage (from report submit) - 2 business days

  • Time to bounty (from triage) - 14 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

In addition, we ask that the following policies be adhered to as well:

  • Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts.

  • Reporting vulnerabilities with no conditions, demands, or ransom threats.

In scope vulnerabilities

In this bounty program, all software vulnerabilities in services provided are considered in scope. Please visit our documentation to get you set up with our products (you'll be up and running in <5 minutes). You will be testing with the API test keys that we provide, when you interact with our product for the first time there will be 1 test ETH seeded into your wallet, this should allow you plenty of opportunities to interact with our modal and attempt to discover vulnerabilities.

Please refer to the structured scopes section below to find our in-scope assets.

We will put more emphasis on the following security vulnerabilities:

  • Log in as a user without their confirmation

  • Modify user sensitive data

  • Unauthorized user digital assets transfer

Known Vulnerabilities

  • Rate limiting is not in place on all areas that could benefit, and so attacks that would be deterred by rate limiting are out of scope.

Out of scope vulnerabilities

All vulnerabilities that require or are related to the following are out of scope:

  • Hijacking developer API public keys

  • Domain spoofing

  • DDoS on our systems as well as our providers systems (i.e SMS provider)

  • Social engineering

  • Physical security

  • Previously known vulnerable libraries without a working Proof of Concept

  • Non-security-impacting UX issues

  • Man-in-the-Middle attacks

  • Ability to abuse any existing blockchain functionality

  • Features/links that lead to or are provided by external providers i.e our Typeform integrations, developer docs, etc.

Additionally, out of scope

  • Our API endpoints (api.fortmatic.com and api.magic.link) are out of scope for DDoS (any activity that could lead to the disruption of our service)

  • Any other subdomain that is not listed in the structured scopes section below

Safe Harbor

To encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.

You are expected, as always, to comply with all applicable laws.

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

This document contains material from the #legalbugbounty project, which can be found on github.

Privacy Policy

The collection of information in Magic's product is bound by the terms described in our Privacy Policy

In Scope

Scope Type Scope Name

Account Settings


Login with SMS - Feature


Magic and Fortmatic Products















Out of Scope

Scope Type Scope Name










This program crawled on the 2021-10-08 is sorted as bounty.

FireBounty © 2015-2021

Legal notices